A method, apparatus, article of manufacture, and a memory structure for issuing digital certificates to a client is disclosed. The method comprises the steps of accepting a digital certificate request from a client in a web server, the digital certificate request comprising at least one client parameter, passing the client parameter to user exit external to the web server via an interface implemented by a servlet property file to determine if a digital certificate should be issued to the client, and transmitting the digital certificate to the client if the external processing module indicates that the digital certificate should be issued to the client. The article of manufacture comprises a data storage device tangibly embodying instructions to perform the method steps described above.
The apparatus comprises means for accepting a digital certificate request with a client parameter from a client in a web server, means for passing the client parameter to an external processing module to determine, among other things, if the digital certificate should be issued to the client, and a means for transmitting the digital certificate to the client.
|
1. A method of issuing digital certificates, comprising the steps of:
accepting a digital certificate request from a client in a servlet implemented in a web server, the digital certificate request comprising at least one client parameter; passing the client parameter to a user exit external to the servlet to determine if a digital certificate should be issued to the client; and transmitting the digital certificate to the client if the external processing module indicates that the digital certificate should be issued to the client.
8. An apparatus for issuing digital certificates, comprising:
means for accepting a digital certificate request from a client in a servlet implemented in a web server, the digital certificate request comprising at least one client parameter; means for passing the client parameter to a user exit external to the servlet to determine if a digital certificate should be issued to the client; and means for transmitting the digital certificate to the client if the external processing module indicates that the digital certificate should be issued to the client.
15. A program storage device, readable by a computer, tangibly embodying at least one program of instructions executable by the computer to perform method steps of issuing digital certificates, the method comprising the steps of:
accepting a digital certificate request from a client in a servlet implemented in a web server, the digital certificate request comprising at least one client parameter; passing the client parameter to a user exit external to the servlet to determine if a digital certificate should be issued to the client; and transmitting the digital certificate to the client if the external processing module indicates that the digital certificate should be issued to the client.
2. The method of
computing a private key and a public key for the client when user exit indicates that the digital certificate should be issued to the client; preparing a digital certificate using the public key and the private key; and transmitting the digital certificate to the client.
4. The method of
encrypting the digital certificate with the client password; and transmitting the encrypted digital certificate to the client.
5. The method of
providing a link to a response page to the client, the response page comprising an entry field for accepting an entered password; transmitting the response page to the client when the link to the response page is selected; receiving the entered password from the client; and transmitting the encrypted digital certificate to the client when the entered password matches the client password.
6. The method of
7. The method of
decrypting the digital certificate with the entered password; and transmitting the encrypted digital certificate to the client when the decrypted digital certificate is a valid certificate.
9. The apparatus of
means for computing a private key and a public key for the client when user exit indicates that the digital certificate should be issued to the client; means for preparing a digital certificate using the public key and the private key; and means for transmitting the digital certificate to the client.
10. The apparatus of
11. The apparatus of
means for encrypting the digital certificate with the client password; and means for transmitting the encrypted digital certificate to the client.
12. The apparatus of
means for providing a link to a response page to the client, the response page comprising an entry field for accepting an entered password; means for transmitting the response page to the client when the link to the response page is selected; means for receiving the entered password from the client; and means for transmitting the encrypted digital certificate to the client when the entered password matches the client password.
13. The apparatus of
14. The apparatus of
means for decrypting the digital certificate with the entered password; and means for transmitting the encrypted digital certificate to the client when the decrypted digital certificate is a valid certificate.
16. The program storage device of
computing a private key and a public key for the client when user exit indicates that the digital certificate should be issued to the client; preparing a digital certificate using the public key and the private key; and transmitting the digital certificate to the client.
17. The program storage device of
18. The program storage device of
encrypting the digital certificate with the client password; and transmitting the encrypted digital certificate to the client.
19. The program storage device of
providing a link to a response page to the client, the response page comprising an entry field for accepting an entered password; transmitting the response page to the client when the link to the response page is selected; receiving the entered password from the client; and transmitting the encrypted digital certificate to the client when the entered password matches the client password.
20. The program storage device of
21. The program storage device of
decrypting the digital certificate with the entered password; and transmitting the encrypted digital certificate to the client when the decrypted digital certificate is a valid certificate.
|
1. Field of the Invention
The present invention relates to systems and methods for securing transmission and receipt of electronic data, and in particular to a method and system providing a web-based digital certificate authority.
2. Description of the Related Art
In recent years, the use of the internet and other electronic communication and message transfer methods have become widespread. While these communication methods have numerous advantages, they are vulnerable to unauthorized tampering. Persons transmitting electronic messages must be assured that their messages are not opened or disclosed to unauthorized persons. Further, the addressee of the electronic message should be certain of the identity of the sender and that the message was not tampered with at some point during transmission. Many methods have been developed to secure the integrity of electronic messages during transmission. Simple encryption is the most common method of securing data. Both secret key encryption such as DES (Data Encryption Standard) and public key encryption methods which use both a public and a private key are implemented.
Although public and private key encryption methods allow users to send internet and e-mail messages without concern that the message will be read by unauthorized persons or that its contents will be tampered with, key cryptographic methods alone do not protect the receiver of the message. That is, they do not allow the recipient to authenticate the validity of the public key or to validate the identity of the sender of the electronic message.
One method for validating the authenticity of a public key is the use of digital certificates. A digital certificate is a signed document attesting to the identity and public key of the person signing the message. Digital certificates prevent impersonation using a phony key pair.
Digital certificates are issued by a digital certificate authority (CA). Certificate authorities typically run in a trustworthy manner and are highly secure. Consequently, although they provide a high degree of security, they are difficult and expensive to implement, and are therefore unsuitable for widespread application, particularly where near-bulletproof security is not necessary or desired. Consider, for example, a driver's license and an auto club card. Both are analogous to a "certificate" in the sense that they certify to a certain extent that the person in possession of the card is who they say they are. The driver's license is issued by a trusted "certificate authority" (the state department of motor vehicles), and is therefore globally accepted (by the issuing CA and all instances that trust the issuing CA) as a genuine indication of the bearer's identity. The auto club card is issued by a "local" certificate authority (the auto club itself), and is not globally accepted as a genuine indication of the bearer's identity and his attributes (i.e. gold membership). However, for the auto club's purposes, it is sufficient to show that the bearer has paid for the auto club's services, and from the auto-club's perspective, is adequate to permit transactions between the bearer and the club.
Digital libraries and other vendors who could benefit from the user of digital certificates are currently faced with the choice of either using a third party CA's services or developing their own CA. Using a third party CA minimizes development costs, but does not allow the vendor to customize the CA to meet its particular requirements. Also, third party CAs generally provide much more security and overhead than is desired or needed, and at a higher cost. Vendors may develop their own CA with certificate toolkits, but the vendor must program everything on its own, and this can be a daunting and expensive task for most. What is needed is a digital certificate authority that provides a less trusted, but more easily implemented indication of identity, and one which allows for easy vendor customization. The present invention satisfies that need.
To address the requirements described above, the present invention discloses a method, apparatus, and article of manufacture for issuing digital certificates.
The method comprises the steps of accepting a digital certificate request from a client in a web server, the digital certificate request comprising at least one client parameter, passing the client parameter to a user exit external to the servlet to determine if a digital certificate should be issued to the client, and if the external processing module indicates that the digital certificate should be issued to the client, transmitting the digital certificate to the client. The article of manufacture comprises a data storage device tangibly embodying instructions to perform the method steps described above.
The apparatus comprises means for accepting a digital certificate request with client parameters from a client in a web server, means for passing the client parameter to an external processing module to determine, among other things, if the digital certificate should be issued to the client, for creating certificates, and a means for transmitting the digital certificate to the client.
Referring now to the drawings in which like reference numbers represent corresponding parts throughout:
In the following description, reference is made to the accompanying drawings which form a part hereof, and which is shown, by way of illustration, several embodiments of the present invention. It is understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.
Generally, the computer 102 operates under control of an operating system 108 stored in the memory 106, and interfaces with the user to accept inputs and commands and to present results through a graphical user interface (GUI) module 118A. Although the GUI module 118A is depicted as a separate module, the instructions performing the GUI functions can be resident or distributed in the operating system 108, the application program 110, or implemented with special purpose memory and processors. The computer 102 also implements a compiler 112 which allows an application program 110 written in a programming language such as COBOL, C++, FORTRAN, JAVA, or other language to be translated into processor 104 readable code. After completion, the application 110 accesses and manipulates data stored in the memory 106 of the computer 102 using the relationships and logic that was generated using the compiler 112.
In one embodiment, instructions implementing the operating system 108, the computer program 110, and the compiler 112 are tangibly embodied in a computer-readable medium, e.g., data storage device 124, which could include one or more fixed or removable data storage devices, such as a zip drive, floppy disc drive, hard drive, CD-ROM drive, tape drive, etc. Further, the operating system 108 and the computer program 110 are comprised of instructions which, when read and executed by the computer 102, causes the computer 102 to perform the steps necessary to implement and/or use the present invention. Computer program 110 and/or operating instructions may also be tangibly embodied in memory 106 and/or data communications devices, thereby making a computer program product or article of manufacture according to the invention. The application program 110 can also be a service which extends the functionality to the computer 102, e.g. a web server. As such, the terms "article of manufacture" and "computer program product" as used herein are intended to encompass a computer program accessible from any computer readable device or media.
Those skilled in the art will recognize many modifications may be made to this configuration without departing from the scope of the present invention. For example, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the present invention.
Encryption is the most common method of securing the contents of data, whether in transport or storage. Encryption is the transformation of plaintext data into an unintelligible form known as ciphertext, and is usually accomplished by the application of mathematical algorithms on the plaintext data. These algorithms are defined by parameters known as "keys." Two common encryption methods are symmetric methods which use secret keys, and asymmetric methods which use key pairs of public and private keys.
An advantage of public key cryptography over private key cryptography is increased security, because private keys 208A and 208B need not be transmitted or revealed to anyone. Another advantage of public key cryptography is that it can provide a simple method to create digital signatures. Authentication using only private key cryptography requires the sharing of the secret key, which raises the danger of compromise or forgery.
RSA encryption, named after its M.I.T. inventors Rivest, Shamir, and Adleman, is one example of a public key encryption implementation. RSA can be used in conjunction with DES to establish and provide a secure communication connection. First the message is encrypted with a random DES key, and before being transmitted, the DES key is encrypted with the recipient's (or multiple recipients') public key(s). Both the encrypted message and the encrypted key are sent to the recipient as a digital envelope. When the envelope arrives at the destination, the recipient opens it using the associated private key to decrypt the DES key, and then decrypts the message using the newly acquired DES key. In this manner, RSA and DES are combined to gain the performance advantages of private key encryption and the key management features of RSA.
Authentication allows for the verification that someone or something is valid or genuine. Digital signature authentication allows the receiver of the message to be confident of the identity of the sender and the integrity of the message. The digital signature is an set of data declaring that the named person wrote or otherwise agreed to the document to which the digital signature is attached. Normally, the digital signature is appended to the end of the message. A digital signature can be used for both message and sender authentication. In message authentication, the digital signature is used to verify that the received message was not tampered with, somewhat like a checksum. In sender authentication, a digital signature is used to verify the identity of the originator of a message. Thus, a secure digital signature system provides both a method of signing a document to preclude forgery, and a method of verifying that a signature was actually generated by whomever it represents. A secure digital signature cannot be repudiated; the sender cannot later disown the message by claiming it was forged.
With this implementation, the sending computer's 100A private key 204A is used to create a digital signature, and the sending computer's public key 208B is used to decrypt it. On the receiving computer's 100B side, the application will automatically look up the sending computer's 100A public key 204A, decrypt the digital signature 406, and return confirmation of the source of the message.
Digital signatures can also be used to guarantee the validity of the public key. These digital signatures can be incorporated into a certificate, thereby creating a "signed" document containing a digital signature attesting to the validity and public key of the person signing the message, and preventing one user from impersonating another by using a phony key pair. Along with the public key, the certificate also contains other digital certificate attributes such as expiration date of the key, the name of the issuer of the certificate, the certificate serial number, and the digital signature of certificate issuer. However, a secure, centralized repository is required for storing and managing the keys.
One difficulty in the establishment of a CA is that it must begin with a root certificate that all who verify certificates from the CA and verify signatures from instances which have certificates from the CA must trust. The only way to create digital certificates that everyone can trust is to distribute a root certificate to the CA in a trustworthy way. The CA in possession of the root certificate may issue certificates to other CAs, and the validity of certificates issued by any member of the chain of CAs can be checked, so long as the root certificate is known.
The CA 606 includes a servlet 608 or similar module implemented in the web server 502. Servlets extend a web server's functionality and can be called from remote web browsers. The servlet 608 implements a number of basic functions required to generate and distribute digital certificates, including public and private key generation, determining fixed certificate attributes, and coded program instructions for returning certificate authority decisions to the client computer 100C. The servlet 608 is supplied to the digital certificate provider, thus relieving the provider from the burden of writing and/or managing code to perform key generation (which is computationally intensive) and/or implement the communication protocol between the CA 606 and the client computer 100C (which is difficult to program and troubleshoot).
The servlet 608 also provides one or more user exits 612 via an interface, which allow the digital certificate provider to customize the operation of the certification authority 606. These user exits 612 include for example, certificate provider-defined issuance policies 614. Using the user exits 612 provided by the servlet 608, the digital certificate provider may write simple code (in Java, or a similar language) which defines when and under what circumstances the person using the client computer 100C will be issued a digital certificate. If necessary, the digital certificate provider can use the user exits 612 to pass the client computer's 100C certificate request (and any necessary parameters along with it) to external processing 616, where additional processing may be accomplished to determine whether a digital certificate will be issued to the requesting client 100C.
By way of example, suppose that the digital certificate provider is an Internet-based retail outlet, and the client would like to place an order. The client computer 100C issues a digital certificate request having the customer's credit card number. The digital certificate provider may want to verify that the credit card number is valid before issuing a certificate. In this circumstance, the user exit 612 can be used to contact a credit agency via external processing 616 to verify the credit card number. If the number is verified as genuine, the same user exit 612 can instruct the servlet 608 to begin the process of issuing a digital certificate.
The user exit 612 is programmed by the digital certificate provider, and can perform many functions. For example, the user exit 612 may examine a customer or client database to decide if a digital certificate will be issued. The user exit 612 may also determine that an external information source 814 must be contacted to provide additional information. Client parameters may be provided to the external information source 814 if necessary. The user exit 612 may also determine whether the digital certificate will be issued on-line or off line, based on the issuance policies implemented by the user exit 612 (i.e. if external information is required) or based upon an estimate of the time it will take to issue a certificate. An Interface 610 between the user exit 612 and the servlet 608 is provided by implementing a property file in the servlet 608. The property file comprises parameters such as the name of the CA 606 and the class name of the user exit. Thus, when the servlet 608 is called, the class names of the user exits are read and dynamically linked to. If the user exit 612 determines that the digital certificate will not be issued, it may also return a message indicating why the certificate was denied.
If a digital certificate should not be issued to the requesting client, the user exit provides this determination to the servlet 608, and this information is transmitted to the client 100C, either by posting a web page or by transmitting an electronic mail (e-mail) message to the client's address.
If a digital certificate should be issued, variable certificate attributes are determined 816 (fixed certificate attributes are normally determined by the servlet 608), and processing returns to the servlet 608. The servlet 608 first creates a key pair (including the client's public and private key), then a certificate (by signing the public key and its own private key) then adds its own root certificate, and puts these items together with the private key to build a key ring. The result is stored along with an associated URL 620 in the web server 502. Note that unlike ordinary schemes which require the client to pass a private key 204A to the certificate authority 606, the servlet 608 itself computes both the public and the private key, relieving the browser 604 or other software in the client computer 100C from doing so. Although this requires that the client trusts the CA not to use or disclose the private key, this is largely irrelevant for many applications. The CA 606 knows the private key of every client, and thus, the CA 606 would be capable of forging the signature of any client. However, the CA 606 is maintained by the digital library or retailer, and could only damage itself by doing so. By allowing the CA 606 to compute both the private and public keys, the computational burden is removed from the client, with minimal effective reduction in security.
The servlet 608 also creates a keyring for the client, as shown in block 818. The keyring organizes key pairs and certificates so that they may be easily stored and retrieved by applications running in the client computer 100C.
In one embodiment, the digital certificate request form 618 originally submitted by the client includes an area for inputting a client password. This client password may be used to encrypt the keyring or certificate before saving it in the web server 502, or transmitting it to the client computer 100C, thus providing additional security from interception by third parties. If a client password has been supplied, the key ring is encrypted 820 with the password and stored 822. Normally, the web server 502 does not retain a plaintext copy of the digital certificate or the client password. Since the user alone knows the password, the user's public and private keys, when stored in the web server 502, are secure.
As previously noted, the computation of the private and public keys for the client's digital certificate can be a time-consuming task. Further, if external information is required to decide whether to issue a digital certificate to the requesting client 100C, the time between the request and the availability of the digital certificate may be extensive, for reasons beyond the digital certificate provider's control. Hence, the elapsed time between the request for a digital certificate, and its computation may be fairly lengthy. To account for such delays, the present invention includes both on-line and off-line digital certificate capabilities. In the on-line mode, a link to a page where the digital certificate may be obtained (the dynamic response page) is provided 828 to the requesting client as soon as it becomes available, and the client remains on-line until that page is provided, and the client computer 100C then displays 830 that page. In the off-line mode, discussed further below with reference to
The browser 604 accepts the selection of the link to the dynamic response page, and the completed form is submitted to the web server 502. When the web server 502 receives the link selection, it calls 834 a second servlet routine (denoted RMDownload1CA). The second servlet routine creates 836 the dynamic response page and provides the dynamic response page to the client 100C. In one embodiment, the dynamic response page also comprises a field to enter the client password. After the client 100C enters the client password and transmits the completed dynamic response page to the web server 502, the web server 502 calls a third servlet routine (denoted RMDownload2CA). The second servlet routine accepts the client password entered into the dynamic response page and uses the entered password to decrypt the client's keyring. If the entered password is the same as the client's password (which was used to encrypt the client's keyring), the decrypted keyring will include a valid certificate. If not, the "decrypted" keyring will be unintelligible. If the decrypted keyring includes a valid certificate, the plaintext (decrypted) version of the keyring is discarded, and the encrypted keyring is transmitted to the client as shown in blocks 844, 846, and 848. Hence, by using the entered password to "decrypt" the keyring encrypted with the client's password, and checking to see if the "decrypted" keyring is intelligible, the accepted password is essentially compared to the client's password, and the two must match before the encrypted keyring is transmitted to the client computer 100C.
When a web browser 604 receives a certificate, it normally stores it in its own certificate database, and does not make it available for other applications. However, other applications running on the client computer 100C may need certificate information. For example, the CRYPTOLOPE system available from the IBM Corporation requires access to the certificates. Accordingly, the certificates must be stored in a file so a helper application 602 like CRYPTOLOPE may use them. To provide this capability, the keyring is returned to the client in a form (such as a MIME-type) that a standard web browser 604 will not recognize as a certificate. When the browser 604 receives the key ring and recognizes the data type, it starts a RMReceive routine in the helper application 602. The RMReceive routine transparently manages the keyrings in the client computer 100C. Before the keyring can be used, it must be decrypted by the user. This is accomplished by prompting the user to re-enter the client password, then using the password to decrypt the key ring. The RMReceive routine also looks for an existing private key ring in the client computer 100C. If an existing private keyring is found, RMReceive asks for the passwords to both the new keyring and the existing keyring. After the user successfully enters both passwords, the keyrings are merged together, and password encrypted (using either the password from the existing key ring, the new key ring, or a new password). This is depicted in blocks 850 and 852.
This concludes the description of the preferred embodiments of the present invention. In summary, the present invention describes a method, apparatus, and article of manufacture for issuing digital certificates.
The method comprises the steps of accepting a digital certificate request from a client in a web server, the digital certificate request comprising at least one client parameter, passing the client parameter to user exit external to the web server via an interface implemented by a servlet property file to determine if a digital certificate should be issued to the client, and transmitting the digital certificate to the client if the external processing module indicates that the digital certificate should be issued to the client. The article of manufacture comprises a data storage device tangibly embodying instructions to perform the method steps described above.
The apparatus comprises means for accepting a digital certificate request with a client parameter from a client in a web server, means for passing the client parameter to an external processing module to determine, among other things, if the digital certificate should be issued to the client, a means to create a certificate, and a means for transmitting the digital certificate to the client.
The foregoing description of the preferred embodiment of the invention has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. It is intended that the scope of the invention be limited not by this detailed description, but rather by the claims appended hereto. The above specification, examples and data provide a complete description of the manufacture and use of the composition of the invention. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims hereinafter appended.
Kohl, Ulrich W., Xu, Ling Elizabeth
Patent | Priority | Assignee | Title |
10013705, | Nov 22 1999 | Accenture Global Services Limited | Increased visibility during order management in a network-based supply chain environment |
10229279, | Dec 12 2001 | Intellectual Ventures I LLC | Methods and systems for providing access control to secured data |
10320570, | Aug 30 2016 | Microsoft Technology Licensing, LLC | Digital security certificate selection and distribution |
10454675, | Dec 22 2003 | ASSA ABLOY AB | Trusted and unsupervised digital certificate generation using a security token |
10474795, | Mar 19 2004 | Microsoft Technology Licensing, LLC | Enhancement to volume license keys |
10904241, | Oct 26 2018 | ADVANCED NEW TECHNOLOGIES CO , LTD | Digital certificate management |
11025609, | Oct 30 2017 | ADVANCED NEW TECHNOLOGIES CO , LTD | Digital certificate management |
11157626, | May 29 2019 | Northrop Grumman Systems Corporation | Bi-directional chain of trust network |
6611869, | Oct 28 1999 | McAfee, Inc | System and method for providing trustworthy network security concern communication in an active security management environment |
6816900, | Jan 04 2000 | Microsoft Technology Licensing, LLC | Updating trusted root certificates on a client computer |
6885388, | Apr 25 2001 | WIDEPOINT CYBERSECURITY SOLUTIONS CORPORATION | Method for automatically generating list of meeting participants and delegation permission |
6981148, | Apr 30 1999 | University of Pennsylvania | Method for integrating online and offline cryptographic signatures and providing secure revocation |
7080077, | Jul 10 2000 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Localized access |
7124101, | Nov 22 1999 | Accenture Global Services Limited | Asset tracking in a network-based supply chain environment |
7124203, | Jul 10 2000 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Selective cache flushing in identity and access management systems |
7134137, | Jul 10 2000 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Providing data to applications from an access system |
7143165, | Jan 04 2000 | Microsoft Technology Licensing, LLC | Updating trusted root certificates on a client computer |
7146544, | Oct 01 2003 | Hewlett-Packard Development Company, L.P. | Method and apparatus for supporting error handling in a web presentation architecture |
7165718, | Jan 16 2002 | PATHWAY ENTERPRISES, INC | Identification of an individual using a multiple purpose card |
7185364, | Mar 21 2001 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Access system interface |
7194764, | Jul 10 2000 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | User authentication |
7216083, | Mar 07 2001 | GLAS AMERICAS LLC, AS THE SUCCESSOR AGENT | Automated transaction machine digital signature system and method |
7225256, | Nov 30 2001 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Impersonation in an access system |
7231661, | Jun 21 2001 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Authorization services with external authentication |
7240194, | Mar 22 2002 | Microsoft Technology Licensing, LLC | Systems and methods for distributing trusted certification authorities |
7249369, | Jul 10 2000 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Post data processing |
7398311, | Jul 10 2000 | Oracle International Corporation | Selective cache flushing in identity and access management systems |
7412719, | May 20 2004 | International Business Machines Corporation | Architecture and design for central authentication and authorization in an on-demand utility environment using a secured global hashtable |
7451116, | Mar 07 2001 | GLAS AMERICAS LLC, AS THE SUCCESSOR AGENT | Automated transaction machine digital signature system and method |
7458096, | Mar 21 2001 | Oracle International Corpration | Access system interface |
7464162, | Jul 10 2000 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Systems and methods for testing whether access to a resource is authorized based on access information |
7500097, | Feb 28 2005 | Microsoft Technology Licensing, LLC | Extendable data-driven system and method for issuing certificates |
7509489, | Mar 11 2005 | Microsoft Technology Licensing, LLC | Format-agnostic system and method for issuing certificates |
7519812, | Feb 19 2004 | KYNDRYL, INC | Architecture and design for central authentication and authorization in an on-demand utility environment |
7526642, | Oct 09 2002 | Nokia Technologies Oy | Controlling delivery of certificates in a mobile communication system |
7574479, | Jan 24 2006 | Apple Inc | Techniques for attesting to content |
7594107, | Dec 20 1999 | Entrust, Inc. | Method and apparatus for updating web certificates |
7603720, | Apr 29 2002 | The Boeing Company | Non-repudiation watermarking protection based on public and private keys |
7630974, | Sep 28 2004 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Multi-language support for enterprise identity and access management |
7711843, | Nov 26 2002 | International Business Machines Corporation | Method and a device for making a media file accessible via a web page |
7716077, | Nov 22 1999 | Accenture Global Services Limited | Scheduling and planning maintenance and service in a network-based supply chain environment |
7765298, | Nov 30 2001 | Campbell ERS LLC | Impersonation in an access system |
7788485, | Aug 07 2003 | Method and system for secure transfer of electronic information | |
7788495, | Jun 03 2003 | Microsoft Technology Licensing, LLC | Systems and methods for automated configuration of secure web site publishing |
7788710, | May 20 2004 | International Business Machines Corporation | Architecture and design for central authentication and authorization in an on-demand utility environment using a secured global hashtable |
7814536, | Jul 10 2000 | Oracle International Corporation | User authentication |
7853790, | Mar 19 2004 | Microsoft Technology Licensing, LLC | Enhancement to volume license keys |
7882132, | Oct 09 2003 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Support for RDBMS in LDAP system |
7904487, | Oct 09 2003 | ORACLE, USA; Oracle International Corporation; Oracle Corporation | Translating data access requests |
7957991, | Nov 22 1999 | Accenture Global Services Limited | Technology sharing during demand and supply planning in a network-based supply chain environment |
7966487, | Jan 09 2004 | ASSA ABLOY AB | Communication-efficient real time credentials for OCSP and distributed OCSP |
7991996, | Feb 19 2004 | KYNDRYL, INC | Architecture and design for central authentication and authorization in an on-demand utility environment |
8032409, | Nov 22 1999 | Accenture Global Services Limited | Enhanced visibility during installation management in a network-based supply chain environment |
8086867, | Mar 26 2002 | Northrop Grumman Systems Corporation | Secure identity and privilege system |
8166549, | Jun 14 2001 | Stragent, LLC | Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses |
8185819, | Dec 12 2005 | GOOGLE LLC | Module specification for a module to be incorporated into a container document |
8185830, | Aug 07 2006 | GOOGLE LLC | Configuring a content document for users and user groups |
8204945, | Jun 19 2000 | Stragent, LLC | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
8261975, | Mar 07 2001 | GLAS AMERICAS LLC, AS THE SUCCESSOR AGENT | Automated banking machine that operates responsive to data bearing records |
8271336, | Nov 22 1999 | Accenture Global Services Limited | Increased visibility during order management in a network-based supply chain environment |
8272060, | Jun 14 2001 | Stragent, LLC | Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses |
8327149, | May 13 2003 | ASSA ABLOY AB | Efficient and secure data currentness systems |
8341141, | Dec 16 2008 | Method and system for automated document registration | |
8407250, | Aug 07 2006 | GOOGLE LLC | Distribution of content document to varying users with security customization and scalability |
8473735, | May 17 2007 | JPMORGAN CHASE BANK, N A | Systems and methods for managing digital certificates |
8479984, | Mar 07 2001 | GLAS AMERICAS LLC, AS THE SUCCESSOR AGENT | Automated banking machine that operates responsive to data bearing records |
8533453, | Mar 12 2008 | Go Daddy Operating Company, LLC | Method and system for configuring a server and dynamically loading SSL information |
8560366, | Nov 22 1999 | Accenture Global Services Limited | Technology sharing during demand and supply planning in a network-based supply chain environment |
8589372, | Dec 16 2008 | Method and system for automated document registration with cloud computing | |
8688813, | Jan 11 2006 | Oracle International Corporation | Using identity/resource profile and directory enablers to support identity management |
8700486, | Feb 19 2008 | Go Daddy Operating Company, LLC | Rating e-commerce transactions |
8726011, | May 17 2007 | JPMORGAN CHASE BANK, N.A. | Systems and methods for managing digital certificates |
8732023, | Nov 22 1999 | Accenture Global Services Limited | Increased visibility during order management in a network-based supply chain environment |
8819438, | Mar 28 2008 | Electricite de France | Method and device for issuing a digital residence certificate |
8832151, | Aug 07 2006 | GOOGLE LLC | Distribution of content document to varying users with security, customization and scalability |
8914351, | Dec 16 2008 | Method and system for secure automated document registration from social media networks | |
8918713, | Dec 12 2005 | GOOGLE LLC | Module specification for a module to be incorporated into a container document |
8935418, | Mar 21 2001 | Oracle International Corporation | Access system interface |
8954861, | Aug 07 2006 | GOOGLE LLC | Administrator configurable gadget directory for personalized start pages |
9143330, | May 13 2003 | ASSA ABLOY AB | Efficient and secure data currentness systems |
9178888, | Jun 14 2013 | Go Daddy Operating Company, LLC | Method for domain control validation |
9225510, | Aug 17 2010 | Go Daddy Operating Company, LLC | Website secure certificate status determination via partner browser plugin |
9225511, | Aug 17 2010 | Go Daddy Operating Company, LLC | Systems for determining website secure certificate status via partner browser plugin |
9331990, | Dec 22 2003 | ASSA ABLOY AB | Trusted and unsupervised digital certificate generation using a security token |
9521138, | Jun 14 2013 | Go Daddy Operating Company, LLC | System for domain control validation |
9602497, | Dec 22 2003 | ASSA ABLOY AB | Trusted and unsupervised digital certificate generation using a security token |
9674180, | Jan 11 2006 | Oracle International Corporation | Using identity/resource profile and directory enablers to support identity management |
9754040, | Aug 07 2006 | GOOGLE LLC | Configuring a content document for users and user groups |
9916293, | Dec 12 2005 | GOOGLE LLC | Module specification for a module to be incorporated into a container document |
9922345, | Nov 22 1999 | Accenture Global Services Limited | Increased visibility during order management in a network-based supply chain environment |
9967239, | Oct 28 2003 | Malikie Innovations Limited | Method and apparatus for verifiable generation of public keys |
Patent | Priority | Assignee | Title |
5606617, | Oct 14 1994 | Microsoft Technology Licensing, LLC | Secret-key certificates |
5671279, | Nov 13 1995 | Meta Platforms, Inc | Electronic commerce using a secure courier system |
5729594, | Jun 07 1996 | On-line secured financial transaction system through electronic media | |
5737419, | Nov 09 1994 | Verizon Patent and Licensing Inc | Computer system for securing communications using split private key asymmetric cryptography |
5922074, | Feb 28 1997 | EMC IP HOLDING COMPANY LLC | Method of and apparatus for providing secure distributed directory services and public key infrastructure |
5978484, | Apr 25 1996 | Microsoft Technology Licensing, LLC | System and method for safety distributing executable objects |
5982898, | Mar 07 1997 | AT&T Corp. | Certification process |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Dec 22 1998 | International Business Machines Corporation | (assignment on the face of the patent) | / | |||
Jan 26 1999 | XU, LING ELIZABETH | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 009769 | /0022 | |
Feb 03 1999 | KOHL, ULRICH W | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 009769 | /0022 | |
Mar 31 2014 | International Business Machines Corporation | LinkedIn Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 035201 | /0479 |
Date | Maintenance Fee Events |
Nov 18 2005 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Jan 21 2010 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Mar 14 2014 | REM: Maintenance Fee Reminder Mailed. |
Jun 24 2014 | M1553: Payment of Maintenance Fee, 12th Year, Large Entity. |
Jun 24 2014 | M1556: 11.5 yr surcharge- late pmt w/in 6 mo, Large Entity. |
Date | Maintenance Schedule |
Aug 06 2005 | 4 years fee payment window open |
Feb 06 2006 | 6 months grace period start (w surcharge) |
Aug 06 2006 | patent expiry (for year 4) |
Aug 06 2008 | 2 years to revive unintentionally abandoned end. (for year 4) |
Aug 06 2009 | 8 years fee payment window open |
Feb 06 2010 | 6 months grace period start (w surcharge) |
Aug 06 2010 | patent expiry (for year 8) |
Aug 06 2012 | 2 years to revive unintentionally abandoned end. (for year 8) |
Aug 06 2013 | 12 years fee payment window open |
Feb 06 2014 | 6 months grace period start (w surcharge) |
Aug 06 2014 | patent expiry (for year 12) |
Aug 06 2016 | 2 years to revive unintentionally abandoned end. (for year 12) |